"The UEFI secure boot mechanism has been the source of a great deal of concern in the free software community, and for good reason: it could easily be a mechanism by which we lose control over our own systems. Recently, Red Hat's Matthew Garrett described how the Fedora distribution planned to handle secure boot in the Fedora 18 release. That posting has inspired a great deal of concern and criticism, though, arguably, about the wrong things."

distro makers should not offer to voluntarily go with MS's lockout plan.

Except if they want to compete in the server business (RHEL vs. Windows Server 8). Having a checkbox to tick "protected boot process" might come in useful when trying to secure government contracts, whereas having that checkbox empty might hurt sales.
Even NIST is aware that firmware level attacks might be a problem.

MJG is paid by Redhat, and so he will work on what's best for them. Compiling your own kernel is so far down the requirements lists for enterprise servers that they don't care about it much. They just need a way to _somehow_ get around the lock-down for their own development (and the geeks) - and right now, there is.